topic Re: XDR add more values to incident classification in Cortex XDR Discussions

XDR add more values to incident classification

tlmarques — Tue, 17 Feb 2026 14:19:15 GMT

Hi everyone,

When I close each incident, I need to add the CSIRT taxonomy flags (from the ENISA Reference Incident Classification Taxonomy: https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy) to the case.

Does anyone know if that is possible?

Re: XDR add more values to incident classification

susekar — Tue, 17 Feb 2026 19:39:07 GMT

Hello @tlmarques,

Greetings for the day.

Based on the provided internal documentation and technical cases, the ability to add custom taxonomy flags (such as a CSIRT taxonomy) depends on whether you are using Cortex XDR (Standard/Pro) or Cortex XSIAM.

1. Cortex XDR (Standard/Pro):

In the standard version of Cortex XDR, there is currently no native support for creating user-defined custom fields or custom incident statuses specifically for taxonomies.

Workarounds for XDR

Resolution Comments:
When closing an incident, you can change the status to Resolved and manually add the CSIRT taxonomy flags into the Resolution Comment field.

Resolution Reason:
You can select from the predefined resolution reasons (e.g., True Positive, False Positive, Security Testing), but these cannot currently be customized to match ENISA or CSIRT taxonomies.

Public API
You can use the update_incident API to programmatically add comments or update incident details. A sample request body:

This approach allows structured tagging via comments, but it does not create searchable, normalized taxonomy fields.

2. Cortex XSIAM:

If your organization uses Cortex XSIAM, the capability to add these flags is natively supported through Editable Incident Layouts and Custom Incident Fields.

Custom Incident Fields:

You can create dedicated fields such as:

CSIRT Taxonomy
Incident Classification
ENISA Category

Path:
Settings > Configurations > Object Setup > Incidents

These fields can be text, dropdown, multi-select, or other structured types.

Editable Layouts:

You can modify the incident page layout to:

Display the custom taxonomy fields
Make them mandatory
Organize them under a dedicated classification section

This ensures analysts consistently apply the taxonomy during investigation or closure. You can also enforce population of these fields via playbooks.

Summary Comparison:

Feature	Cortex XDR	Cortex XSIAM
Custom Incident Fields	No	Yes
Custom Statuses	No	Yes
Editable Layouts	No	Yes
Recommended Approach	Use Resolution Comments or external orchestration	Use Custom Incident Fields

Recommendation:

If you are using Cortex XDR and require formal structured taxonomy fields, the only current options are comment-based tagging, API-driven enrichment, or external orchestration (e.g., via XSOAR).
If you are using Cortex XSIAM, implement Custom Incident Fields and enforce taxonomy usage through layout configuration and playbooks.
If structured taxonomy support is required in Cortex XDR, submit a Feature Request through your Sales Engineer or Account Team.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

Re: XDR add more values to incident classification

tlmarques — Wed, 18 Feb 2026 13:26:01 GMT

@susekar

If I have integrated with (whether on-prem or cloud) for incident resolution through XSOAR, then I can perform the classification there. However, I only retrieve the data via XSOA

Do you know if this also works with XSOAR Cloud? I know it works in the on-prem version because I already have playbooks configured for that.

I assume the cloud version behaves the same way.

Re: XDR add more values to incident classification

tlmarques — Wed, 18 Feb 2026 18:10:12 GMT

@susekar

Another question, if you happen to know: is it possible to export all incidents to an external platform?

For example, can I export incident data to a SQL database, including fields such as IncidentID, Description, and CloseReason?

I need to perform a more granular classification of incidents — not just a true/false categorization — but also include additional flags aligned with European Union Agency for Cybersecurity (ENISA) taxonomy.

I'll use only

Re: XDR add more values to incident classification

susekar — Wed, 18 Feb 2026 19:19:17 GMT

Hello @tlmarques ,

Thank you for the response.

Yes, it is possible to export incident data from Cortex XDR to an external platform like a SQL database, though the method depends on whether you require a manual one-time export or a programmatic, automated integration.

1. Export Methods for Incidents:

To move data to an external SQL database, you have two primary options:

Public API (Recommended for Automation):
You can use the Cortex XDR Public API to programmatically retrieve incident data. The get_incidents and get_incident_extra_data endpoints provide structured JSON responses that include the fields you requested.
- IncidentID: Available as incident_id.
- Description: Available as description.
- CloseReason: Available via fields such as resolution_status and resolution_comment.
To implement this, you would write a script (e.g., in Python) to call the API and then insert that data into your SQL database. You will need to generate an API Key and API Key ID in the Cortex XDR console under Settings → Configurations → API Keys.
Manual Export (UI):
For manual analysis, you can export incidents directly from the console as a Tab-Separated Values (TSV) file, which can then be imported into a SQL database.
1. Navigate to Incident Response → Incidents.
2. Switch to Table View or Detail View (Mailbox View).
3. Apply desired filters and timeframes (within the 180-day retention limit).
4. Click the Export to file icon.